Add a device assurance policy
You can define one or more device attributes that you want to check for each platform that you support. There’s no limit to the number of device assurance policies that you can add, but each set of device attributes must have a unique name.
Start this task

1. In the Admin Console, go to .
2. Click Add a policy.
3. In the Add device assurance policy dialog, enter the following information:
   - Policy name: Specify a unique name for the set of device attributes that you want to define.
   - Platform: Select the device platform that you want to set device attributes for.
4. Select the platform-specific options for the platform you chose:

   Android
   - Minimum Android version: Select a preset version from the list, or specify a custom version.
   - Lock screen: If you select this option, the device must have a screen lock. Also select the checkbox if biometrics are required.
   - Disk encryption: If you select this option, the device disk must be encrypted. Devices with Android 8 or 9 support full-disk encryption. Devices with Android 10 or later support full-disk encryption only if they were upgraded from a previous version; otherwise, devices with Android 10 and later use file-based encryption.
   - Hardware keystore: If you select this option, the device must support hardware-backed keys.
   - Rooting: If you select this option, Okta denies access on rooted devices.

   iOS
   - Minimum iOS version: Select a preset version from the list, or specify a custom version.
   - Lock screen: If you select this option, the device requires a passcode. Also select the option if Touch ID or Face ID is required.
   - Jailbreak: If you select this option, Okta denies access on jailbroken devices.

   macOS
   - Minimum macOS version: Select a preset version from the list, or specify a custom version.
   - Lock screen: If you select this option, the device requires a password or Touch ID.
   - Disk encryption: If you select this option, the disk must be encrypted. Only internal and system volumes are evaluated for disk encryption. Volumes that are hidden, removable, automounted, or used for recovery aren’t evaluated.
   - Secure Enclave: If you select this option, the device must support Secure Enclave.

   Windows
   - Minimum Windows version: Select a preset version from the list, or specify a custom version.
   - Windows Hello must be enabled: If you select this option, users must have Windows Hello enabled on their devices. However, users don’t have to use Windows Hello or enter a password to sign in to apps.
   - Disk encryption: If you select this option, the disk must be encrypted.
   - Trusted Platform Module: If you select this option, the device must support a Trusted Platform Module.

5. Click Save.
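The following is an added example, not code from Okta or from this documentation. It models the policy semantics described above as a small Python evaluator: a policy is one named set of per-platform attributes, names must be unique, and a device is compliant only when every selected attribute is satisfied (minimum version compared numerically, lock screen with optional biometrics, disk encryption, hardware-backed keys, rooted/jailbroken denial, Windows Hello enabled but not necessarily used). All class, field and function names and the sample device data are this example's own assumptions, chosen to mirror the option labels on the page; the real Okta evaluation engine is not reproduced here.

```python
from dataclasses import dataclass
from typing import Optional

# Option labels the page uses for the per-platform hardware-key and compromised-OS checks.
HARDWARE_KEY_LABEL = {"Android": "Hardware keystore", "macOS": "Secure Enclave",
                      "Windows": "Trusted Platform Module"}
COMPROMISED_OS_LABEL = {"Android": "Rooting", "iOS": "Jailbreak"}


def parse_version(text: str) -> tuple:
    """Turn a preset or custom version string such as "14.2.1" into a comparable tuple.

    Trailing zeros are dropped so that "13" and "13.0" compare equal.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class DeviceAssurancePolicy:
    """One set of device attributes, as entered in the Add device assurance policy dialog.

    Field names are this example's own (assumed); each maps onto an option listed on the page.
    """
    name: str
    platform: str                         # "Android", "iOS", "macOS" or "Windows"
    minimum_os_version: Optional[str] = None
    lock_screen: bool = False
    biometrics_required: bool = False     # Android/iOS: biometrics / Touch ID / Face ID required
    disk_encryption: bool = False
    hardware_backed_keys: bool = False    # Hardware keystore / Secure Enclave / TPM
    deny_compromised_os: bool = False     # Rooting (Android) / Jailbreak (iOS)
    windows_hello_enabled: bool = False   # Windows only


@dataclass
class DevicePosture:
    """Attributes reported by a device at sign-in (assumed shape; sample values are constructed)."""
    platform: str
    os_version: str
    screen_lock: bool
    biometric_lock: bool
    disk_encrypted: bool
    hardware_key_support: bool
    compromised_os: bool
    windows_hello_enabled: bool = False


def evaluate(policy: DeviceAssurancePolicy, device: DevicePosture) -> list:
    """Return the page's option labels for every attribute the device fails; [] means compliant."""
    if policy.platform != device.platform:
        raise ValueError(f"policy {policy.name!r} is for {policy.platform}, device is {device.platform}")
    failures = []
    if policy.minimum_os_version and parse_version(device.os_version) < parse_version(policy.minimum_os_version):
        failures.append(f"Minimum {policy.platform} version")
    if policy.lock_screen:
        if not device.screen_lock:
            failures.append("Lock screen")
        elif policy.biometrics_required and not device.biometric_lock:
            failures.append("Lock screen (biometrics required)")
    if policy.disk_encryption and not device.disk_encrypted:
        failures.append("Disk encryption")
    if policy.hardware_backed_keys and not device.hardware_key_support:
        failures.append(HARDWARE_KEY_LABEL.get(policy.platform, "Hardware-backed keys"))
    if policy.deny_compromised_os and device.compromised_os:
        failures.append(COMPROMISED_OS_LABEL.get(policy.platform, "Compromised OS"))
    # Windows Hello only has to be enabled; the page notes users need not sign in with it.
    if policy.windows_hello_enabled and not device.windows_hello_enabled:
        failures.append("Windows Hello must be enabled")
    return failures


class PolicyStore:
    """Holds any number of policies but enforces the page's rule that each policy name is unique."""

    def __init__(self):
        self._by_name = {}

    def add(self, policy: DeviceAssurancePolicy) -> None:
        if policy.name in self._by_name:
            raise ValueError(f"a device assurance policy named {policy.name!r} already exists")
        self._by_name[policy.name] = policy

    def __len__(self) -> int:
        return len(self._by_name)


if __name__ == "__main__":
    # Constructed sample: an Android policy and a rooted Android 11 device without a biometric lock.
    android = DeviceAssurancePolicy(name="Android corporate", platform="Android", minimum_os_version="12",
                                    lock_screen=True, biometrics_required=True, disk_encryption=True,
                                    hardware_backed_keys=True, deny_compromised_os=True)
    device = DevicePosture(platform="Android", os_version="11", screen_lock=True, biometric_lock=False,
                           disk_encrypted=True, hardware_key_support=True, compromised_os=True)
    print(evaluate(android, device))
```

The evaluator returns the list of failed option labels rather than a bare boolean so that an admin reviewing a denied sign-in can see which attribute was not met; the `PolicyStore` is there only to show the name-uniqueness rule from the introduction enforced at creation time.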
Related topics
Add user help for device assurance